
Re: Global networking change in our AWS accounts



On Tue, Nov 16, 2021 at 10:16:38PM +0100, Bastian Blank wrote:
> Hi folks
> 
> We like to do a global change to the way the network is set up on the new
> AWS accounts.  The goal is to reduce the amount of global IPv4 addresses
> to a minimum, as those are an increasingly rare commodity nowadays.
> 
> We will
> - use NAT gateways for all outgoing IPv4 traffic, and
> - allow use of IPv4 via load balancers for some kinds of traffic.
> 
> This means for you as a user that
> - IPv6 will work in either direction and can be used to access instances
>   at will (subject to security groups, of course),
> - IPv4 outgoing will work and all instances use the same address to the
>   outside,

For ci, we are working with the security team on testing embargoed
security updates, and for that we need a unique IP address, because it
will be added to an ACL on the security repository side.

I would like the central server to have its unique public IPv4 address
for this.

> - IPv4 incoming will _not_ work with a public IP assigned to an
>   instance, and
> - IPv4-only or (better) dual-stack network load balancers can be used
>   for stuff like HTTP access for users.

This means that all incoming HTTP access has to go through the admins
first. Is there a way to do this without creating a bottleneck or a
SPoF?
